APPARATUS TO IMPLEMENT DUAL HASH ALGORITHM

Apparatus is disclosed which is arranged to accept digital data as an
input, and to process said data according to one of either the Secure
Hash Algorithm (SHA-1) or Message Digest (MD5) algorithm to
produce a fixed length output word. The apparatus includes a
plurality of rotational registers for storing data, one of the registers
being arranged to receive the input data, and data stores for
initialisation of some of said plurality of registers according to
whether the SHA-1 or MD5 algorithm is used. The data stores
include fixed data relating to SHA-1 and MD5 operation. Also
included is a plurality of dedicated combinatorial logic circuits
arranged to perform logic operations on data stored in selected ones
of said plurality of registers.
DUAL HASH ALGORITHM IMPLEMENTATION

Background of the invention 

The present invention relates to an efficient hardware implementation of the Secure
Hash Algorithm (SHA-1) and Message Digest Algorithm (MD5).



Description of the Prior Art 

Hash algorithms and message digests are frequently used in applications such as
digital signatures, where it is desirable to verify the authenticity of a document or file.

Techniques for producing message digests are beneficial as they reduce the amount
of data processing needed to a manageable and consistent level.

The Secure Hash Algorithm (SHA-1) is specified in the Secure Hash Standard (FIPS
PUB 180-1), and is an algorithm which operates on an input data file to produce a
condensed representation of that file. Specifically, a message of arbitrary length is
processed to produce a message digest consisting of exactly 160 bits.


The Message Digest Algorithm (MD5), developed by Professor Ronald Rivest, has a
similar function. It accepts inputs of arbitrary length and produces an output
message digest consisting of exactly 128 bits.



Both algorithms may be used as a constituent part of a digital signature application.
Both algorithms are computationally intensive and, when implemented in software,
as is the norm in prior art systems, can take a great number of processor clock
cycles to complete.

The present invention therefore aims to overcome problems with the prior art
implementation of these systems, particularly in relation to speed of operation and
power consumption.



Summary of the Present Invention 

In a first broad form the present invention provides apparatus arranged to accept
digital data as an input, and to process said data according to one of either the
Secure Hash Algorithm (SHA-1) or Message Digest (MD5) algorithm to produce a
fixed length output word, said apparatus including: a plurality of rotational registers
for storing data, one of said registers being arranged to receive the input data; and
data stores for initialisation of some of said plurality of registers according to whether
the SHA-1 or MD5 algorithm is used, said data stores including fixed data relating to
SHA-1 and MD5 operation; and a plurality of dedicated combinatorial logic circuits
arranged to perform logic operations on data stored in selected ones of said plurality
of registers.



Preferably, the register arranged to receive the input data is arranged to receive said
input data serially.

Preferably, the registers and combinatorial logic circuits are interconnected for
communication via a pair of data busses. It is particularly preferable if the registers
and combinatorial logic circuits are connected to write to a respective bus via
respective tristate buffers.

Preferably, the apparatus includes a control circuit arranged to generate individually 
gated clock signals for each register. This results in lower power consumption as 
only active registers need to be clocked. 

Preferably, the control circuit is further arranged to generate individual enabling 
signals to control the tristate buffers. The control circuit may be implemented as a 
dedicated state machine, or by another means such as a microcontroller. 

Preferably, the rotational registers are arranged to be multiplexed prior to connection 
to a tristate buffer. This results in a lower bus loading. 

Preferably, the combinatorial logic circuits include a copy circuit, a shift left circuit, a 
NOT circuit, an ADD circuit, an OR circuit, an AND circuit and an XOR circuit. Each 
circuit is dedicated to its particular task, avoiding redundancy. 
Preferably, the apparatus is implemented as an integrated circuit, typically of the
ASIC type. The apparatus may be incorporated with other apparatus, typically digital
signature apparatus.


Embodiments of the present invention utilise the fact that both algorithms may be
broken down into a series of individual steps. Prior art approaches to implementing
the algorithms in software do not utilise any specialised hardware components,
which results in a relatively slow process. However, embodiments of the invention
identify, where possible, the common elements between the MD5 and SHA-1
algorithms and provide specialised hardware components to achieve the required
functionality. Hardware is selected which allows for the maximum sharing of
components and hence the minimum overall component count.


Embodiments of the present invention allow a relatively small number of dedicated
components to be used in a circuit to efficiently calculate either MD5 or SHA-1
message digests. Since the operations involved in both algorithms are similar, the
circuit can be optimised to allow components which are common to both algorithms
to be provided only once. Allowing either of the algorithms to be used in calculating
a message digest is advantageous as there are several digital signature systems
operational which make use of one or other of the SHA-1 or MD5 algorithms.
Systems utilising an embodiment of the invention benefit from increased flexibility
and speed.

Brief Description of the Drawings

For a better understanding of the present invention and to understand how the same
may be brought into effect, the invention will now be described by way of example
only, with reference to the appended drawings in which:

Figure 1 shows a view of the architecture of the combined SHA-1 and MD5
processor; and

Figure 2 shows a view of the control circuit used to control the architecture shown in
Figure 1.
Detailed Description of the Preferred Embodiments

Figure 1 shows a customised architecture which is arranged to receive a data input
150, process it using the shown elements, and produce a data output 155. The
hardware shown is able to perform either SHA-1 or MD5 processing on the input
data, and has been optimised in order to minimise the amount of hardware needed
to perform either one of the algorithms.

The circuit includes a plurality of registers for storing data. There are ten registers
provided in two banks 110, 115 for storing part of the data being processed. In
addition, two temporary registers 120, 135 are provided for intermediate processing
and temporary storage. Also provided are two banks 125, 130 of circular shift
registers W15[31:0] - W0[31:0]. Register W15 of bank 125 is arranged to receive the
input data 150. Any data held in W15 at that time is shifted to W14; the data in W14
is shifted to W13 and so on, until the data held in W0 is lost. The outputs of banks
125 and 130 are multiplexed before being attached to the read bus 140 by a tristate
buffer in order to reduce bus loading.


The registers are mutually interconnected for communication via a read bus 140 and
a write bus 145.

The read bus 140 is connected to a range of logic circuits which provide
combinatorial functions. These functions are: Copy (CP) 200, Shift Left multiple
positions (SL*) 205, NOT 210, ADD 215, OR 220, AND 225, XOR 230 and Shift Left
one position (SL1) 235. Functions 200, 205, 210 require only a single input variable
and receive it directly from the read bus 140. The other functions 215, 220, 225 and
230 require two input variables and receive one from the read bus 140 and the other
from a temporary register (ACCU[31:0]) 135. Register 135 also provides the input for
shift register 235.


Also connected to the read bus via a multiplexer and a tristate logic gate is a bank
160 of registers including fixed constants used in the initialisation of the circuit for
either SHA-1 or MD5 mode calculations. K[t] is provided for initialisation of SHA-1,
and T[i] is provided for initialisation of MD5. In total, approximately seventy five
constants each having a length of 32 bits are required, and grouping them together
in this fashion allows them to be conveniently accessed. The synthesis tool which
places the gates in the finished custom device is then able to optimise the logic,
resulting in a smaller gate count, and thus a smaller area of silicon is required.


Calculation of either SHA-1 or MD5 requires the use of selected ones of the provided
registers and combinatorial functions. In particular, calculation of the SHA-1
algorithm uses all the registers of bank 110 and of bank 115. Calculation of MD5
requires only the use of four registers (H0 - H3) of bank 110 and four registers (A-D)
of bank 115. This allows the unused registers to be used for temporary storage if
required. However, when the result of the calculation 155 is unloaded from register
H0 of bank 110, all five registers are read since they are implemented as shift
registers, and this ensures that their contents are unchanged.


All devices which can output data to the read bus 140 are connected to the bus via a
tristate buffer. Each buffer is individually enabled via a control signal created by the
control circuit shown in Figure 2. Likewise, the combinatorial functions 200-235
which can write data onto the write bus 145 are connected to the write bus via
individually controllable tristate buffers.


The group of clock signals 345 to the individual registers is created from a master clock
signal 340. The master clock signal is ANDed with a control signal to create a gated
clock signal for the appropriate register. In this way, the energy consumption of the
complete circuit is reduced as only active registers need to be clocked.


Figure 2 shows a top level view of the control circuit 400 which generates the
various control signals for the circuit of Figure 1. In particular, it generates, from a
master clock signal 340, a series 345 of gated individual clock signals which are
used to clock the various registers of Figure 1. It also generates individual enable
signals for each of the tristate buffers shown in Figure 1. The control circuit may take
the form of a finite state machine including associated controlling circuits.

The following pseudo-code represents the steps performed in calculating a message
digest according to the SHA-1 algorithm on an input data word of arbitrary length.
The high level algorithm details in broad terms the steps taken in performing a
calculation according to the SHA-1 algorithm. The following more detailed code
provides step by step instructions on performing the individual instructions needed to
calculate the message digest.


SHA-1 Algorithm

// High Level Algorithm

initialize SHA-1 internal registers (H0,H1,H2,H3,H4)
foreach Mi, block of 512 bits of M do
    load Mi into data registers W[0] to W[15]
    start core SHA-1
end

unload H0,H1,H2,H3,H4


// Detailed steps

SHA-1 initialization
H0 = 67452301
H1 = EFCDAB89
H2 = 98BADCFE
H3 = 10325476
H4 = C3D2E1F0


Core SHA-1

A=H0, B=H1, C=H2, D=H3, E=H4
MASK=0000000F
for t=0 to 79 do
    s = t and MASK;
    if (t>=16) W[s] = SL1(W[(s + 13) and MASK] xor
                          W[(s + 8) and MASK] xor
                          W[(s + 2) and MASK] xor W[s]);
    end if
    TEMP = SL5(A) + ft(B,C,D) + E + W[s] + K[t]
    E=D, D=C, C=SL30(B), B=A, A=TEMP
end for

H0 = H0+A, H1 = H1+B, H2 = H2+C, H3 = H3+D, H4 = H4+E


// The functions SL1, SL5 and SL30 are circular left rotation
// of the 32 bit operand by 1 bit, 5 bits and 30 bits
// respectively.

// The constants Kt are defined by the following:

Kt = 5A82 7999 (0 <= t <= 19)
Kt = 6ED9 EBA1 (20 <= t <= 39)
Kt = 8F1B BCDC (40 <= t <= 59)
Kt = CA62 C1D6 (60 <= t <= 79)

// The function ft(B,C,D) is defined by the following:
ft(B,C,D) = (B and C) or ((not B) and D)          (0 <= t <= 19)
ft(B,C,D) = B xor C xor D                         (20 <= t <= 39)
ft(B,C,D) = (B and C) or (B and D) or (C and D)   (40 <= t <= 59)
ft(B,C,D) = B xor C xor D                         (60 <= t <= 79)



The following pseudo-code represents the steps performed in calculating a message
digest according to the MD5 algorithm on an input data word of arbitrary length.

MD5 Pseudo Algorithm

// Here, the four auxiliary functions that each take as input
// three 32-bit words and produce as output one 32-bit word
// are defined:

F(X,Y,Z) = (X and Y) or (not(X) and Z)
G(X,Y,Z) = (X and Z) or (Y and not(Z))
H(X,Y,Z) = X xor Y xor Z
I(X,Y,Z) = Y xor (X or not(Z))

// A 64-element table T[1 ... 64] constructed from the sine
// function is defined. Let T[i] denote the i-th element of
// the table, which is equal to the integer part of 4294967296
// times abs(sin(i)), where i is in radians.

High Level Algorithm

initialize MD5 internal registers (H0,H1,H2,H3)
foreach Mi, block of 512 bits of M do
    load Mi into data registers W[0] to W[15]
    start core MD5
end

unload H0, H1, H2, H3


MD5 initialization

H0 = 67 45 23 01
H1 = ef cd ab 89
H2 = 98 ba dc fe
H3 = 10 32 54 76

Core MD5
A=H0, B=H1, C=H2, D=H3

// Round 1.
// Let [abcd k s i] denote the operation
// a = b + ((a + F(b,c,d) + W[k] + T[i]) <<< s).
// Do the following 16 operations.

[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
// Round 2.
// Let [abcd k s i] denote the operation
// a = b + ((a + G(b,c,d) + W[k] + T[i]) <<< s).
// Do the following 16 operations.

[ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20]
[ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24]
[ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28]
[ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]


// Round 3.
// Let [abcd k s i] denote the operation
// a = b + ((a + H(b,c,d) + W[k] + T[i]) <<< s).
// Do the following 16 operations.

[ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36]
[ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40]
[ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44]
[ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48]


// Round 4.
// Let [abcd k s i] denote the operation
// a = b + ((a + I(b,c,d) + W[k] + T[i]) <<< s).
// Do the following 16 operations.

[ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52]
[ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56]
[ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60]
[ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]

H0 = H0+A, H1 = H1+B, H2 = H2+C, H3 = H3+D
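The two per-block cores, as an added C model that is not part of the patent: SHA-1 with the 16-word circular W buffer addressed through MASK exactly as the SHA-1 pseudo-code above states it, and MD5 with the [abcd k s i] table expressed as the register rotation A<-D, D<-C, C<-B, B<-B+((A+f+W[k]+T[i])<<<s), both checked against the standard single-block test vectors. The function names (sha1_core, md5_core, pad_one_block, short_digest_hex, digest_matches) are mine, and the T[] array is the sine table the MD5 section defines, written out as constants.

```c
/* Added example (not from the patent): C model of the two per-block cores as the
 * pseudo-code above states them. SHA-1 keeps only the 16-word circular W buffer
 * addressed through MASK; MD5 applies the [abcd k s i] round table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MASK 0x0000000F
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

/* SHA-1 K[t]: one constant per group of 20 steps. */
static const uint32_t K[4] = {0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6};
/* MD5 T[i] = integer part of 4294967296 * abs(sin(i)), i = 1..64, kept at T[i-1]. */
static const uint32_t T[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391};

/* Core SHA-1: fold one 512-bit block M (16 big-endian words) into H[0..4]. */
static void sha1_core(uint32_t H[5], const uint32_t M[16])
{
    uint32_t W[16], A = H[0], B = H[1], C = H[2], D = H[3], E = H[4], f, TEMP;
    int t, s;
    memcpy(W, M, sizeof W);                 /* load Mi into W[0]..W[15] */
    for (t = 0; t < 80; t++) {
        s = t & MASK;
        if (t >= 16)                        /* schedule word computed in place */
            W[s] = ROTL(W[(s + 13) & MASK] ^ W[(s + 8) & MASK] ^
                        W[(s + 2) & MASK] ^ W[s], 1);
        if (t < 20)      f = (B & C) | (~B & D);
        else if (t < 40) f = B ^ C ^ D;
        else if (t < 60) f = (B & C) | (B & D) | (C & D);
        else             f = B ^ C ^ D;
        TEMP = ROTL(A, 5) + f + E + W[s] + K[t / 20];
        E = D; D = C; C = ROTL(B, 30); B = A; A = TEMP;
    }
    H[0] += A; H[1] += B; H[2] += C; H[3] += D; H[4] += E;
}

/* Core MD5: fold one 512-bit block W (16 little-endian words) into H[0..3]. */
static void md5_core(uint32_t H[4], const uint32_t W[16])
{
    static const int S[4][4] = {{7, 12, 17, 22}, {5, 9, 14, 20}, {4, 11, 16, 23}, {6, 10, 15, 21}};
    uint32_t A = H[0], B = H[1], C = H[2], D = H[3], f, tmp;
    int i, k;
    for (i = 0; i < 64; i++) {
        switch (i >> 4) {                   /* rounds 1..4: F, G, H, I and the k sequence */
        case 0:  f = (B & C) | (~B & D); k = i;                break;
        case 1:  f = (B & D) | (C & ~D); k = (5 * i + 1) & 15; break;
        case 2:  f = B ^ C ^ D;          k = (3 * i + 5) & 15; break;
        default: f = C ^ (B | ~D);       k = (7 * i) & 15;     break;
        }
        tmp = D; D = C; C = B;              /* [ABCD] -> [DABC] -> [CDAB] -> [BCDA] */
        B = B + ROTL(A + f + W[k] + T[i], S[i >> 4][i & 3]);
        A = tmp;
    }
    H[0] += A; H[1] += B; H[2] += C; H[3] += D;
}

/* Pad a message under 56 bytes into one block; big_endian selects SHA-1 (1) or MD5 (0) order. */
static int pad_one_block(const uint8_t *msg, size_t len, int big_endian, uint32_t W[16])
{
    uint8_t blk[64] = {0};
    uint64_t bits = (uint64_t)len * 8;
    int i;
    if (len > 55) return 0;                 /* longer input needs a second block */
    memcpy(blk, msg, len); blk[len] = 0x80;
    for (i = 0; i < 8; i++)                 /* 64-bit message length in the last 8 bytes */
        blk[big_endian ? 63 - i : 56 + i] = (uint8_t)(bits >> (8 * i));
    for (i = 0; i < 16; i++) {
        const uint8_t *p = blk + 4 * i;
        W[i] = big_endian ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
                          : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
    }
    return 1;
}

/* Hex digest of a short message: algo 1 = SHA-1 (40 hex chars), 0 = MD5 (32); 0 if too long. */
int short_digest_hex(int algo, const char *msg, char *out)
{
    uint32_t H[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0}, W[16];
    int i, b, n = algo ? 5 : 4;             /* both cores share the first four initial words */
    if (!pad_one_block((const uint8_t *)msg, strlen(msg), algo, W)) return 0;
    if (algo) sha1_core(H, W); else md5_core(H, W);
    for (i = 0; i < n; i++)                 /* SHA-1 unloads big-endian, MD5 little-endian */
        for (b = 0; b < 4; b++)
            sprintf(out + 8 * i + 2 * b, "%02x", (unsigned)((H[i] >> (algo ? 24 - 8 * b : 8 * b)) & 0xff));
    out[8 * n] = '\0';
    return 1;
}

/* 1 when the digest of msg equals expected_hex, 0 otherwise (including too-long input). */
int digest_matches(int algo, const char *msg, const char *expected_hex)
{ char hex[41]; return short_digest_hex(algo, msg, hex) && strcmp(hex, expected_hex) == 0; }
```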

The information below sets out the so-called atomic operations which are required to
perform the different algorithm calculations. The following steps indicate the
operation number, the operation performed, and the status of the read 140 and write
145 busses. Each operation listed below takes exactly one clock cycle.



SHA-1 ALGORITHM

initialization

##   operation               Readbus   Writebus
01.  A := H0                 H0        (copy)
02.  B := H1                 H1        (copy)
03.  C := H2                 H2        (copy)
04.  D := H3                 H3        (copy)
05.  E := H4                 H4        (copy)

0<=t<=15

##   operation               Readbus   Writebus
01.  ACCU := B               B         (copy)
02.  TMP := ACCU and C       C         (and)
03.  ACCU := NOT B           B         (not)
04.  ACCU := ACCU and D      D         (and)
05.  ACCU := ACCU or TMP     TMP       (or)
06.  ACCU := ACCU + W[0]     W[0]      (+)
07.  ACCU := ACCU + E        E         (+)
08.  TMP := SL5(A)           A         (SL5)
09.  ACCU := ACCU + TMP      TMP       (+)
10.  TMP := ACCU + K[t]      K[t]      (+)
11.  E := D                  D         (copy)
12.  D := C                  C         (copy)
13.  C := SL30(B)            B         (SL30)
14.  B := A                  A         (copy)
15.  A := TMP                TMP       (copy)
16.  ROTATE W[i]

16<=t<=19

##   operation               Readbus   Writebus
01.  ACCU := B               B         (copy)
02.  TMP := ACCU and C       C         (and)
03.  ACCU := NOT B           B         (not)
04.  ACCU := ACCU and D      D         (and)
05.  TMP := ACCU or TMP      TMP       (or)
06.  ACCU := W[13]           W[13]     (copy)
07.  ACCU := ACCU xor W[8]   W[8]      (xor)
08.  ACCU := ACCU xor W[2]   W[2]      (xor)
09.  ACCU := ACCU xor W[0]   W[0]      (xor)
10.  W[0] := SL1(ACCU)       (ACCU)    (SL1)
11.  ACCU := W[0]            W[0]      (copy)
12.  ACCU := ACCU + TMP      TMP       (+)
13.  ACCU := ACCU + E        E         (+)
14.  TMP := SL5(A)           A         (SL5)
15.  ACCU := ACCU + TMP      TMP       (+)
16.  TMP := ACCU + K[t]      K[t]      (+)
17.  E := D                  D         (copy)
18.  D := C                  C         (copy)
19.  C := SL30(B)            B         (SL30)
20.  B := A                  A         (copy)
21.  A := TMP                TMP       (copy)
22.  ROTATE W[i]

20<=t<=39 and 60<=t<=79

final round

##   operation               Readbus   Writebus
01.  ACCU := A               A         (copy)
02.  H0 := ACCU              H0        (+)
03.  ACCU := B               B         (copy)
04.  H1 := ACCU              H1        (+)
05.  ACCU := C               C         (copy)
06.  H2 := ACCU              H2        (+)
07.  ACCU := D               D         (copy)
08.  H3 := ACCU              H3        (+)
09.  ACCU := E               E         (copy)
10.  H4 := ACCU              H4        (+)



MD5 ALGORITHM

initialization

##   operation               Readbus   Writebus
01.  A := H0                 H0        (copy)
02.  B := H1                 H1        (copy)
03.  C := H2                 H2        (copy)
04.  D := H3                 H3        (copy)

Round 1 (16 iterations): 0<=i<=15; k=0; s=7,12,17,22

##   operation               Readbus   Writebus
01.  ACCU := B               B         (copy)
02.  TMP := ACCU and C       C         (and)
03.  ACCU := NOT B           B         (not)
04.  ACCU := ACCU and D      D         (and)
05.  TMP := ACCU or TMP      TMP       (or)
06.  ACCU := W[k]            W[k]      (copy)
07.  ACCU := ACCU + A        A         (+)
08.  ACCU := ACCU + T[i]     T[i]      (+)
09.  TMP := ACCU + TMP       TMP       (+)
10.  ACCU := SL[s](TMP)      TMP       (SL[s])
11.  TMP := ACCU + B         B         (+)
12.  A := D                  D         (copy)
13.  D := C                  C         (copy)
14.  C := B                  B         (copy)
15.  B := TMP                TMP       (copy)
16.  ROTATE W[k]

Preparation for Round 2
01.  ROTATE W[k]

Round 2 (16 iterations): 16<=i<=31; k=1; s=5,9,14,20,5,9,14,20,5

##   operation               Readbus   Writebus
01.  ACCU := B               B         (copy)
02.  TMP := ACCU and D       D         (and)
03.  ACCU := NOT D           D         (not)
04.  ACCU := ACCU and C      C         (and)
05.  TMP := ACCU or TMP      TMP       (or)
06.  ACCU := W[k]            W[k]      (copy)
07.  ACCU := ACCU + A        A         (+)
08.  ACCU := ACCU + T[i]     T[i]      (+)
09.  TMP := ACCU + TMP       TMP       (+)
10.  ACCU := SL[s](TMP)      TMP       (SL[s])
11.  TMP := ACCU + B         B         (+)
12.  A := D                  D         (copy)
13.  D := C                  C         (copy)
14.  C := B                  B         (copy)
15.  B := TMP                TMP       (copy)
16.  ROTATE W[k]
17.  ROTATE W[k]
18.  ROTATE W[k]
19.  ROTATE W[k]
20.  ROTATE W[k]

Preparation for Round 3
01.  ROTATE W[k]
02.  ROTATE W[k]
03.  ROTATE W[k]
04.  ROTATE W[k]

Round 3 (16 iterations): 32<=i<=47; k=5; s=4,11,16,23,4,11,16

As an example of how the information above should be interpreted, step number 2 of
the SHA-1 initialisation section relates to the operation B := H1, meaning that the
register B is set to the value stored in H1. To achieve this, the tristate buffer 321 of
register H1 and the tristate buffer 301 of the copy logic are enabled together. At the
same time, the clock to register B is enabled, resulting in the data in H1 being written
into B. The tristate buffer control and clock signals are generated by the control
circuit 400.

WO 2004/042602 PCT/SG2002/000245 -14-

Similarly, step number 10 in the SHA-1 0<= t <= 15 stage relates to the operation
TMP := ACCU + K[t]. The multiplexer and tristate buffer 332 is enabled for K[10]. The
tristate buffer 304 is enabled for the ADD logic 215 and a gated clock signal is
created and applied to the TMP register 120. In this way, the rising clock signal
causes the sum of the data in K[10] and ACCU to be written into the TMP register.

The last instruction in the 0<= t <= 15 stage for SHA-1 (and the 0<= i <= 15 stage for
MD5) causes the entire Wi chain to be rotated, so that W14 is loaded with the data
previously in W15, W13 receives the data previously in W14, and W15 receives the
data previously in W0. Advantageously, this instruction may be implemented in
parallel with the instruction above it (Step 15) as the rotate instruction does not
involve placing data onto the data bus. In this way, one clock cycle per iteration is
saved, leading to a total saving of 80 cycles for SHA-1 and 64 cycles for MD5.

The embodiment presented has a bus width of 32 bits. However, it is possible to
reduce the bus width to reduce the silicon area of the design at the expense of
operational speed. If the bus width is reduced to 16 bits, each 32 bit XOR operation,
for example, will take two cycles rather than one cycle if a 32 bit bus was used.

In the light of the foregoing description, it will be clear to the skilled man that various
modifications may be made within the scope of the invention.


The present invention includes any novel feature or combination of features
disclosed herein either explicitly or any generalisation thereof irrespective of whether
or not it relates to the claimed invention or mitigates any or all of the problems
addressed.
CLAIMS

1. Apparatus arranged to accept digital data as an input, and to process said
data according to one of either the Secure Hash Algorithm (SHA-1) or Message
Digest (MD5) algorithm to produce a fixed length output word, said apparatus
including:

• a plurality of rotational registers for storing data, one of said registers being
arranged to receive the input data; and

• data stores for initialisation of some of said plurality of registers according to
whether the SHA-1 or MD5 algorithm is used, said data stores including fixed
data relating to SHA-1 and MD5 operation; and

• a plurality of dedicated combinatorial logic circuits arranged to perform logic
operations on data stored in selected ones of said plurality of registers.

2. Apparatus as claimed in claim 1 wherein the register arranged to receive the
input data is arranged to receive said input data serially.

3. Apparatus as claimed in claim 1 or 2 wherein the registers and combinatorial
logic circuits are interconnected for communication via a pair of data busses.

4. Apparatus as claimed in claim 3 wherein the registers and combinatorial logic
circuits are connected to write to a respective bus via respective tristate buffers.


5. Apparatus as claimed in any one of the preceding claims wherein the
apparatus includes a control circuit arranged to generate individually gated clock
signals for each register.

6. Apparatus as claimed in claim 5 wherein said control circuit is further
arranged to generate individual enabling signals to control the tristate buffers.






7. Apparatus as claimed in any one of the preceding claims wherein the
rotational registers are arranged to be multiplexed prior to connection to a tristate
buffer.
8. Apparatus as claimed in any one of the preceding claims wherein the
combinatorial logic circuits include a copy circuit, a shift left circuit, a NOT circuit, an
ADD circuit, an OR circuit, an AND circuit and an XOR circuit.



9. Apparatus as claimed in any one of the preceding claims wherein the
apparatus is implemented as an integrated circuit.

10. Apparatus as claimed in any one of the preceding claims wherein the
apparatus further includes circuitry arranged to perform digital signature creation or
authentication.



Novelty (N)                     Yes: Claims 2-10    No: Claims 1

Inventive step (IS)             Yes: Claims         No: Claims 2-10

Industrial applicability (IA)   Yes: Claims 1-10    No: Claims



2. Citations and explanations 
Reference is made to the following document:

D1: US 2002/066014 A1 (DWORKIN ET AL) 30 May 2002 (2002-05-30)



Re item V

Reasoned statement with regard to novelty, inventive step or industrial
applicability; citations and explanations supporting such statement

1 The present application does not meet the criteria of Article 33(1) PCT, because
the subject-matter of independent apparatus claim 1 is not new in the sense of
Article 33(2) PCT, the reasons therefore being the following.

1.1 The application concerns an implementation of the SHA-1 and MD5 algorithms by
using a compact ASIC architecture, wherein the same hardware is used for both
algorithms.

The apparatus of the application includes a plurality of shift registers (rotational
registers) to receive the input data; registers to store constant values necessary to
initialise the algorithms; a plurality of logic circuits coupled to the input registers by
means of selection units (multiplexers).

Depending on the algorithm to be carried out the selection units configure the logic
circuits accordingly and thereafter couple the logic circuits with the proper constant
values. Tristate buffers are used to connect logic circuits with input registers.
Individual clock signals are used for each register to reduce the power
consumption.

1.2 Document D1, which is provisionally considered as the closest prior art, discloses
(see from paragraph 0004 to paragraph 0005; from paragraph 0009 to paragraph
0022; from paragraph 0023 to paragraph 0027) an apparatus for implementing
multiple cryptographic hash algorithms such as SHA-1, MD4 and MD5. A register
file is initialised to different data values; a logic circuit performs logical operations
based on the selected cryptographic algorithm and provides a data value to a
summing circuit that is summed with mode dependent constant values selected
from registers, round and stepped generated data words to calculate the hash
values for the stored input data.
In particular D1 discloses:
i) a plurality of rotational registers for storing data, one of said registers being
arranged to receive the input data (see from paragraph 0018 to paragraph
0020);

ii) data stores for initialisation of some of said plurality of registers according to
whether the SHA-1 or MD5 algorithm is used, said data stores including fixed
data relating to SHA-1 and MD5 operation (see from paragraph 0009 to
paragraph 0017; paragraph 0022; from paragraph 0023 to paragraph 0027);

iii) a plurality of dedicated combinatorial logic circuits arranged to perform logic
operations on data stored in selected ones of said plurality of registers (see
from paragraph 0012 to paragraph 0017; from paragraph 0019 to paragraph
0022; from paragraph 0024 to paragraph 0027).

1.3 Therefore, document D1 discloses an apparatus that includes features identical to
the features of the apparatus of present independent claim 1.
The subject matter of claim 1 lacks novelty with regard to the apparatus known
from D1 and, consequently, does not meet the requirements of novelty as set out
in Article 33(2) PCT.



Dependent claims 2 to 4 and 6 to 10 do not contain any features which, in
combination with the features of any claim to which they refer, meet the
requirements of the PCT in respect of inventive step, because the apparatus
known from document D1 includes features that are equal or equivalent to the
features of the apparatus of dependent claims 2 to 4 and claims 6 to 10 (see from
paragraph 0004 to paragraph 0005; from paragraph 0009 to paragraph 0022; from
paragraph 0023 to paragraph 0027).

Thus, the subject matter of dependent claims 2 to 4 lacks an inventive step
contribution with regard to the apparatus known from D1 (Article 33(3) PCT).



3 The present application does not meet the criteria of Article 33(1) PCT, because
the subject-matter of dependent claim 5 does not involve an inventive step in the
sense of Article 33(3) PCT for the following reasons.

3.1 The apparatus according to claim 5 differs from that known from document D1
only in that the feature of individually generated gated clock signal has been
omitted.

However, selecting common clock signal or individually generated clock signals is
merely one of several straightforward possibilities from which the skilled person
would select, in accordance with circumstances, without the exercise of inventive
skill (Article 33(3) PCT).



4 With regard to the assessment of the present claims 1 to 10 on the question
whether they are industrially applicable, the following is stated.
The subject matter of present claims 1 to 10 relates to an implementation of the
SHA-1 and MD5 algorithms by using a compact ASIC architecture, wherein the
same hardware is used for both algorithms, therefore it fulfills the requirements of
industrial applicability as set out in Article 33(4) PCT.



5 The application does not meet the requirements of Article 6 PCT, because claims
1 to 7 and 10 are not clear.

Some of the features in the apparatus claims 1 to 7 and 10 relate to a method of 
using the apparatus rather than clearly defining the apparatus in terms of its 
technical features. The intended limitations are therefore not clear from this claim, 
contrary to the requirements of Article 6 PCT. 

In order to remedy this anomaly, a formulation of the claims in terms of functional 
means ("means adapted to") should be used. 



6 Contrary to the requirements of Rule 5.1(a)(ii) PCT, the relevant background art
disclosed in the document D1 is not mentioned in the description, nor is this
document identified therein.

6.1 Independent claim 1 is not in the two-part form in accordance with Rule 6.3(b)
PCT, which in the present case would be appropriate, with those features known
in combination from the prior art (document D1) being placed in the preamble
(Rule 6.3(b)(i) PCT) and with the remaining features being included in the
characterising part (Rule 6.3(b)(ii) PCT).

6.2 The features of the claims are not provided with reference signs placed in
parentheses (Rule 6.2(b) PCT).

6.3 Furthermore, at page 14, last paragraph, the description contains general
statements that the extent of protection may be expanded in some vague and not
precisely defined way. Such general statements shall be deleted as contrary to
Article 6 PCT, cf. also PCT Preliminary Examination Guidelines, C-III, 4.3a.